
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns

Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.

Detection Query

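// Inbound BEC/fraud lure: requires at least three language/content indicators
// AND at least three sender/infrastructure indicators, and excludes senders
// the organization already corresponds with frequently.
type.inbound
and 3 of (
  // urgent subjects
  strings.ilike(subject.subject, '*quick question*'),
  strings.ilike(subject.subject, '*urgent*request*'),
  strings.ilike(subject.subject, '*are you available*'),
  strings.ilike(subject.subject, '*need assistance*'),
  strings.ilike(subject.subject, '*help*needed*'),
  regex.icontains(subject.subject, 'favor\b'),
  strings.ilike(subject.subject, '*checking in*'),
  strings.ilike(subject.subject, '*awaiting*response*'),
  strings.ilike(subject.subject, '*catch*up*'),

  // BEC body patterns
  strings.ilike(body.current_thread.text, '*sorry to bother*'),
  strings.ilike(body.current_thread.text, '*are you busy*'),
  strings.ilike(body.current_thread.text, '*can you help*'),
  strings.ilike(body.current_thread.text, '*do you have a moment*'),
  strings.ilike(body.current_thread.text, '*please respond*asap*'),
  // NOTE(review): a second strings.ilike(subject.subject, '*quick question*')
  // was removed from this section. It duplicated the first subject check and
  // let a single "quick question" subject count twice toward the threshold.
  // If a body-text variant was intended here, add it explicitly against
  // body.current_thread.text.

  // brand name
  // The optional whitespace between letters catches spaced-out spellings
  // such as "Amaz on"; the patterns are not word-bounded, so "pineapple" and
  // similar substrings also match and rely on the 3-of threshold to filter.
  regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?o\s?n'), // Catches "Amaz on", "Amazon", etc.
  regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
  regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),

  // short body
  // These two overlap heavily: a terse message alone supplies two of the
  // three indicators, so one language hit is then enough to pass this group.
  length(body.current_thread.text) < 200,
  strings.count(body.current_thread.text, ' ') < 30
)
and 3 of (
  // suspicious sender
  sender.email.domain.root_domain in $free_email_providers,
  network.whois(sender.email.domain).days_old < 30,

  // suspicious recipient pattern
  any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
  length(recipients.to) == 1, // Single recipient (weak on its own; very common in legitimate mail)

  // header checks
  strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
  strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
  // different reply-to address
  (
    length(headers.reply_to) > 0
    and sender.email.email not in map(headers.reply_to, .email.email)
  ),
  // sender display name is part of the subject
  // NOTE(review): behavior when sender.display_name is null/empty is not
  // established here — confirm it cannot match every subject.
  strings.icontains(subject.subject, sender.display_name),
)
// Exclude senders that are already common correspondents for this organization.
and profile.by_sender_email().prevalence not in ("common")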

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
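name: "BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns"
description: "Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes."
type: "rule"
severity: "medium"
# Two independent "3 of" groups: language/content indicators, then
# sender/infrastructure indicators; frequent senders are excluded at the end.
source: |
  type.inbound
  and 3 of (
    // urgent subjects
    strings.ilike(subject.subject, '*quick question*'),
    strings.ilike(subject.subject, '*urgent*request*'),
    strings.ilike(subject.subject, '*are you available*'),
    strings.ilike(subject.subject, '*need assistance*'),
    strings.ilike(subject.subject, '*help*needed*'),
    regex.icontains(subject.subject, 'favor\b'),
    strings.ilike(subject.subject, '*checking in*'),
    strings.ilike(subject.subject, '*awaiting*response*'),
    strings.ilike(subject.subject, '*catch*up*'),

    // BEC body patterns
    strings.ilike(body.current_thread.text, '*sorry to bother*'),
    strings.ilike(body.current_thread.text, '*are you busy*'),
    strings.ilike(body.current_thread.text, '*can you help*'),
    strings.ilike(body.current_thread.text, '*do you have a moment*'),
    strings.ilike(body.current_thread.text, '*please respond*asap*'),
    // NOTE(review): a second strings.ilike(subject.subject, '*quick question*')
    // was removed from this section. It duplicated the first subject check and
    // let a single "quick question" subject count twice toward the threshold.
    // If a body-text variant was intended here, add it explicitly against
    // body.current_thread.text.

    // brand name
    // The optional whitespace between letters catches spaced-out spellings
    // such as "Amaz on"; the patterns are not word-bounded, so "pineapple" and
    // similar substrings also match and rely on the 3-of threshold to filter.
    regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?o\s?n'), // Catches "Amaz on", "Amazon", etc.
    regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
    regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),

    // short body
    // These two overlap heavily: a terse message alone supplies two of the
    // three indicators, so one language hit is then enough to pass this group.
    length(body.current_thread.text) < 200,
    strings.count(body.current_thread.text, ' ') < 30
  )
  and 3 of (
    // suspicious sender
    sender.email.domain.root_domain in $free_email_providers,
    network.whois(sender.email.domain).days_old < 30,

    // suspicious recipient pattern
    any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
    length(recipients.to) == 1, // Single recipient (weak on its own; very common in legitimate mail)

    // header checks
    strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
    strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
    // different reply-to address
    (
      length(headers.reply_to) > 0
      and sender.email.email not in map(headers.reply_to, .email.email)
    ),
    // sender display name is part of the subject
    // NOTE(review): behavior when sender.display_name is null/empty is not
    // established here — confirm it cannot match every subject.
    strings.icontains(subject.subject, sender.display_name),
  )
  // Exclude senders that are already common correspondents for this organization.
  and profile.by_sender_email().prevalence not in ("common")
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Free email provider"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "ba8a79e0-cce3-57e8-bbc7-3b3d9f848761"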